Massive Volkswagen Data Leak Reveals 800,000 EV Users

A massive data leak involving more than 800,000 Volkswagen electric vehicles (EVs) left sensitive user information, including location data and personal contact details, unprotected on the internet. Discovered by a whistleblower and reported by Der Spiegel, the breach highlighted significant security flaws in VW subsidiary Cariad’s software, exposing vulnerabilities in modern vehicle data management.
GPS locations are revealed
The data breach, which remained undetected by VW for months, involved precise GPS data and personal information linked to owners of VW, Audi, Seat, and Škoda vehicles. Stored on an unsecured Amazon Cloud server, this dataset allows anyone with basic technical skills to access:
- Detailed location logs showing where and when cars were parked.
- Owners’ personal information, such as names, email addresses, and phone numbers.
- Insights into users’ routines, workplaces, recreational areas, and even sensitive visits, such as government offices, hospitals, and private establishments.
This exposed data risks exploitation by criminals, espionage actors, or hackers, according to Linus Neumann of the Chaos Computer Club (CCC), who likens the situation to leaving “a large keychain under a thin doormat.”
The breach affected not only individual users but also institutional entities. Der Spiegel's report highlights the following cases:
- Politician Nadja Weippert, a member of the Green Party and privacy advocate, discovered that her movements were meticulously recorded and linked to identifiable personal details. She described the situation as “shocking.”
- Markus Grübel, a CDU member of the Bundestag, expressed similar concerns, saying the event had damaged confidence in the auto industry.
- The Hamburg Police, which has 35 EVs in its fleet, is one of the affected parties.
Data from several countries, including Germany, Israel, and Ukraine, are accessible. In some cases, GPS data is accurate to within 10 centimeters.
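The article describes the storage as an unsecured Amazon cloud server without saying what the misconfiguration was. As an added, defender-side example that is not from the article or from Cariad, the following Python audit evaluates an S3 bucket policy document and flags statements that grant anonymous access; the two policies are constructed for the demonstration (the bucket name and account ID are placeholders), and it assumes the exposure class was a world-readable bucket policy, which is one common way such data ends up reachable by anyone.

```python
import json
from fnmatch import fnmatch

# Constructed sample policies (not from the article). The first grants anonymous
# read and list on every object; the second restricts access to one application role.
# Bucket name and account ID are placeholders.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-telemetry-bucket",
                     "arn:aws:s3:::example-telemetry-bucket/*"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowTelemetryServiceOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/telemetry-ingest"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-telemetry-bucket/*",
    }],
})

# Actions that let a caller read object contents or enumerate the bucket.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when a statement's Principal matches anonymous (unauthenticated) callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for ids in principal.values() for p in _as_list(ids))
    return False


def find_public_statements(policy_json):
    """Return the Allow statements whose Principal is public.

    A statement carrying a Condition is reported as 'conditional' rather than
    assumed safe: conditions such as aws:SourceIp can still be very broad."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditional": "Condition" in stmt,
        })
    return findings


def is_world_readable(policy_json):
    """True if an unconditional public statement permits reading or listing.

    Action patterns are globs ("s3:*", "s3:Get*", "*"), so match them with fnmatch."""
    for finding in find_public_statements(policy_json):
        if finding["conditional"]:
            continue
        for pattern in finding["actions"]:
            if any(fnmatch(read, pattern) for read in READ_ACTIONS):
                return True
    return False


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: world-readable={is_world_readable(policy)} "
              f"findings={find_public_statements(policy)}")
```

A policy check like this belongs in a pipeline that runs on every deploy; in AWS it should sit alongside the account-level S3 Block Public Access setting, which rejects public policies regardless of what an application's deployment writes.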
Volkswagen's response
In response to the breach, Cariad, the software arm of Volkswagen, acknowledged the issue, saying that the Chaos Computer Club (CCC) pointed to a misconfiguration of two IT applications on November 26, 2024. The misconfiguration, which allowed access to pseudonymized vehicle data, has since been fixed.
Cariad stressed that the data involved was not sensitive personal information such as passwords or payment details, and no vehicles or services were affected. Only some vehicle data from online connected vehicles is affected. The company also confirmed that no unauthorized third-party access occurred, and they reported the incident to the relevant authorities.
Cariad clarifies that the data, such as charging behavior and habits, are anonymous and used to improve future car features, such as the battery and charging software. No personal user profile is created, and customers have the option to disable online services at any time.
VW assures customers that all data processing is done in compliance with legal requirements and customer consent, with strong privacy measures, including data separation, pseudonymization, and strict limits on data use.
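Cariad's statement rests on pseudonymization and on only retaining what battery and charging analytics need, while the leaked records reportedly carried contact details and GPS fixes accurate to centimetres. As an added example (not Cariad's code), the following Python shows what a minimization step consistent with that statement would do to such records: drop direct identifiers, replace the vehicle identifier with a keyed pseudonym whose key is held apart from the data, and coarsen coordinates and timestamps so the charging statistics still work. The records, VINs, coordinates and key are all constructed for the demonstration; the field names are assumptions.

```python
import hashlib
import hmac
from statistics import mean

# Constructed raw telemetry records (not from the article): a direct vehicle
# identifier, a contact field and centimetre-precision GPS. Two records belong to
# the same constructed vehicle parked a few metres apart on consecutive mornings.
RAW_RECORDS = [
    {"vin": "WVWZZZ1KZAW000001", "owner_email": "a.example@example.org",
     "lat": 52.5200660, "lon": 13.4049540, "ts": "2024-11-20T07:58:00Z",
     "soc_start": 0.23, "soc_end": 0.80, "kwh": 41.0},
    {"vin": "WVWZZZ1KZAW000001", "owner_email": "a.example@example.org",
     "lat": 52.5201100, "lon": 13.4048800, "ts": "2024-11-21T08:03:00Z",
     "soc_start": 0.35, "soc_end": 0.55, "kwh": 12.5},
    {"vin": "WVWZZZ1KZAW000002", "owner_email": "b.example@example.org",
     "lat": 48.1351250, "lon": 11.5819810, "ts": "2024-11-20T18:30:00Z",
     "soc_start": 0.45, "soc_end": 0.90, "kwh": 30.0},
]

# Assumption: the pseudonymization key lives in a secrets store, separate from the
# telemetry store, so holding the data alone does not let anyone recompute or
# reverse the mapping. This constant is a constructed placeholder.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Fields that identify a person or vehicle directly and must never reach analytics.
DIRECT_IDENTIFIERS = {"vin", "owner_email", "owner_name", "owner_phone"}


def pseudonymize(vin, key=PSEUDONYM_KEY):
    """Keyed hash (HMAC-SHA256) of the VIN, truncated to a 16-hex-char pseudonym.

    A plain unkeyed hash would be reversible by hashing the small VIN space."""
    return hmac.new(key, vin.encode(), hashlib.sha256).hexdigest()[:16]


def coarsen(lat, lon, decimals=2):
    """Round coordinates to ~1 km cells (2 decimals of latitude is about 1.1 km).

    The leaked data was reported accurate to about 10 cm, i.e. six or more decimals."""
    return round(lat, decimals), round(lon, decimals)


def minimize(record, key=PSEUDONYM_KEY):
    """Keep only what charging/battery analytics needs from one raw record."""
    lat, lon = coarsen(record["lat"], record["lon"])
    return {
        "vehicle": pseudonymize(record["vin"], key),
        "cell_lat": lat,
        "cell_lon": lon,
        "hour": record["ts"][11:13],      # hour of day only; the date is dropped
        "soc_start": record["soc_start"],
        "soc_end": record["soc_end"],
        "kwh": record["kwh"],
    }


def has_direct_identifiers(record):
    """Guard to run on the analytics side: refuse rows that still carry identifiers."""
    return bool(DIRECT_IDENTIFIERS & record.keys())


def charging_summary(records):
    """The kind of aggregate the statement says the data is used for, computed on minimized rows."""
    return {
        "sessions": len(records),
        "avg_kwh": round(mean(r["kwh"] for r in records), 2),
        "avg_soc_gain": round(mean(r["soc_end"] - r["soc_start"] for r in records), 3),
    }


if __name__ == "__main__":
    minimized = [minimize(r) for r in RAW_RECORDS]
    for row in minimized:
        print(row)
    print(charging_summary(minimized))
```

Coarsening on its own is not anonymization: a pseudonym that recurs in the same 1 km cell every morning at the same hour still singles out one vehicle, which is why the pseudonym key, the raw store and the minimized store need separate access controls, and why the article's point stands that location data needs the same protection as names and phone numbers.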
However, this latest security lapse at Volkswagen highlights a continuing pattern of systemic vulnerabilities in the company’s IT infrastructure and data management practices.
VW security failures
Similar concerns have been raised in previous reports, including a 20-year-old flaw in dealership software that exposed customer data, a five-year espionage operation by Chinese hackers targeting VW's intellectual property, and critical vulnerabilities in vehicle systems that allow remote vehicle destruction and data theft. Together, these incidents highlight the urgent need for VW and other automakers to treat cybersecurity as a fundamental aspect of their digital and connected services.
2024-12-27 18:03:00